Worm Threat Forces Apple To Disable Software?

SkiifGeek writes "After the debacle that surrounded the announcement and non-disclosure of a worm that targets OS X, the vulnerability in mDNSResponder may have forced Apple to remove support for certain mDNSResponder capabilities with the recently released Security Update 2007-007. 'Seeming to closely follow the information disclosed by InfoSec Sellout, Apple's mDNSResponder update addresses a vulnerability that can be exploited by an attacker on the local network to gain a denial of service or arbitrary code execution condition. Apple goes on to identify that the vulnerability that they are addressing exists within the support for UPnP IGD... and that an attacker can exploit the vulnerability through simply sending a crafted network packet across the network. With the crafted network packet triggering a buffer overflow, it passes control of the vulnerable system to the attacker. Rather than patching the vulnerability and retaining the capability, Apple has completely disabled support for UPnP IGD (though there is no information about whether it is only a temporary disablement until vulnerabilities can be addressed).'"

*Pulls out a plate 'o crow*

[Anonymous Coward]

Come here Apple fanboys-and-girls. Lunch is served.

Re:

[teknopurge]

I wonder who wrote the UPnP spec - perhaps they are the ones at fault? (*cough*BILL GATES' University of chair-throwing throwers*cough*)

Re:

[BuhDuh]

I wonder who wrote the UPnP spec - perhaps they are the ones at fault? (*cough*BILL GATES' University of chair-throwing throwers*cough*)

I don't think the issue is the spec, it's the asinine cute features that M$ decided to implement. Like UPnP, BHO, etc etc. Maybe we should follow Apple's example, and eliminate all vulnerabilities by disabling the TCP/IP stack?

Re:

[joeytmann]

GO APPLETALK!

Re:

[teknopurge]

Looks like Apple just followed Wikipedia [wikipedia.org]:

Problems with UPnP * UPnP uses HTTP over UDP (known as HTTPU and HTTPMU for unicast and multicast), even though this is not standardized and is specified only in an Internet-Draft that expired in 2001. [1] * UPnP does not have a lightweight authentication protocol, while the available security protocols are complex. As a result, many UPnP devices ship with UPnP turned off by default as a security measure.

Re:

[Nullav]

You mean like how MS crippled the stack in SP2 by lowering the cap on half-open connections to 10 to slow worm propagation? (I know there are times when a solution isn't always immediately obvious, but I'd rather not have my OS force me to live in a bubble.)

Re:

[ehrichweiss]

What I loved about M$ crippling the stack was that if you do the math/iterations, any worm could still propagate within 60 seconds or so making the move ineffective at best.

Re:wait a minute

[Sparks23]

Realistically, no OS is completely secure. This is hardly the first security issue in OS X, nor will it be the last. Linux has had its share of security flaws, too.

In the modern world, there are simply too many protocols and systems popping up; no operating system exists in a vacuum, and many vulnerabilities may be in services, subsystems and so on. And with the pressure to get things out and shave off extra CPU cycles, there are too many situations where someone simply goes 'oh, well, I checked that this data is valid up HERE, so I don't need to check again down here in this function I call later,' and then later another piece of code goes, 'oh, look, here is a function that does what I need, I will just reuse it' and assumes that function does its own error-checking, so does not check the data before passing into it. And thus, you create a pathway where unvalidated data gets passed down and can cause buffer overflows or whatever.

No operating system or development team is somehow inherently immune to this.

The thing is that Windows not only has kept large chunks of legacy code -- which makes it hard to really break down and restrict user permissions without breaking older programs -- but spent some time really pushing the Active X technology, which then proved to create a lot of problems. Apple, on the other hand, went off the tracks entirely and threw out their operating system; that was a risky move which could have killed them off entirely, but in the end they got an operating system which was built atop a multi-user system with better permissions.

That does not mean that Apple somehow writes inherently better code than Microsoft; I happen to like OS X, but Apple's engineers are not necessarily smarter or more careful in the actual lines of code they write. The difference as I see it is that Microsoft is bogged down by hard-to-debug and support legacy code, while Apple got to make a cleaner start... and then on top of that, many bits of OS X (CUPS, zeroconf/Bonjour, WebKit, etc.) are open source.

Apple contributes funds and engineering to these projects (and in some cases such as zeroconf, came up with the original specifications), but as they are open source things tend to get found and fixed faster in community review. That is why OS X, while not bulletproof, tends to be at least a bit more secure than Windows.

That is my take on it, anyway.

Re:

[toddestan]

Not that I'm defending macs in any way, but you do realize that there have been quite a few remote exploits (in the wild, not theoretical) that require nothing other than having a windows computer online and having its card pulled by another infected machine, right? It's not about if you're "smart" enough not to click on something, but if you were a bit brighter you'd already know that.

Those days are also over (atleast for the most part). Windows now comes with its firewall on by default, and those wide op

Re:*Pulls out a plate 'o crow*

[fermion]

This is what should happen. Fix it, or remove the feature, or at least make it optional. This is what Apple normally does. It does not ship with all ports open and sharing on.

I hope this indicates a return to sensibility at Apple. Lately they are trying so hard to be like MS, that the security has suffered. Can't turn off HTML in email is at the top of my security vulnerabilities.

Re:

[LKM]

Why do the Apple haters have to turn every /. article about Apple vulnerabilities into a braindead hatefest? It makes the discussions useless and unreadable. Please stop. thanks.

News at 11...

[maztuhblastah]

Researchers find hole, act like 1337 733ns about it. Company can't be sure that they've fixed hole, so they temporarily disable the reportedly-vulnerable function.

Yawn.

So UPnP means

[commodoresloat]

UnPlug n Play

Re:

[owndao]

Yawn, truly. If one reads the Apple patch notes they say quite plainly:

mDNSResponder CVE-ID: CVE-2007-3744 Available for: Mac OS X v10.4.10, Mac OS X Server v10.4.10 Impact: An attacker on the local network may be able to cause a denial of service or arbitrary code execution Description: A buffer overflow vulnerability exists in the UPnP IGD (Internet Gateway Device Standardized Device Control Protocol) code used to create Port Mappings on home NAT gateways in the Mac OS X implementation of mDNSResponder. By sending a maliciously crafted packet, an attacker on the local network can trigger the overflow which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by removing UPnP IGD support. This issue does not affect systems prior to Mac OS X v10.4.

If one reads the entire note there were other, more noteworthy, bugs addressed rather than one that would take great care to craft and would have to be deployed on your LAN. Also, the derogatory terms used to refer to people who have an operating system preference are reminiscent of my three year old calling someone "poopie butt." Save us all.

Re:

[Jeremy_Bee]

Isn't it interesting that Slashdot threads that have anything to do with the adventures and histrionics of David Maynor instantly become peppered with a large number of idiotic, unsupported comments railing against Apple and "Apple FanBoiz," made by a variety of Slashdot accounts that rarely show up commenting on anything else?

Here is a hint: A pretend army of supporters is still a pretend army.

Isn't it fascinating to watch as shitty comments (like we see above), vacillate back and forth between "+5 Insight

Re:

[mikeabbott420]

The configurable spam filter would be a great idea for slashdot.

I can think of a lot of phrases that would increase the signal to noise ratio (for me) if I could use them to exclude noise.

I believe a site mandated filter would be both useless and undemocratic.

configurable filter for slashdot

[commodoresloat]

I can't wait to see that...

Mark as spam if message contains:
[x] fanboy/fanboi
[x] goatse
[x] 17 megabyte file
[ ] Kreskin
[x] Soviet Russia
[x] Profit!
[x] Beowulf
[x] I, for one
[x] hot grits
[ ] CowboyNeal

Re:

[cp.tar]

I can't believe you forgot the GNAA.

By the FSM's Noodly Appendage, those walls of text are annoying...

Re:

[d34thm0nk3y]

Here is a hint: A pretend army of supporters is still a pretend army.

Isn't it fascinating to watch as shitty comments (like we see above), vacillate back and forth between "+5 Insightful" and "Flamebait" as the pretend army fights the good fight against Apple "FanBoiz" everywhere?

A pretend army that happens to have mod points. Interesting...

Re:

[node 3]

A pretend army that happens to have mod points. Interesting...

Mod points *are* pretend, or at least more pretend than the things they are modding.

He's specifically referring to (I gather) the "pretend war" that is going on over the modding of the comments, which are the "real war". This is especially interesting since modders can not (directly) participate in the discussion.

In a way, it's a lot like some sort of imaginary battle in the heavens in which gods are fighting to help their human followers on the battlefield.

Re:

[Jeremy_Bee]

Okay, I'm picking out the most personally offensive "Coward" post to respond to here ... :-)

Only a twelve year old would seriously think that saying someone is a "fanboy" is an effective retort to an informed argument that person is making.

I am not "hurt" by the fanboi language. The very idea is a sop to those who would use the term in that it positions the person so "hurt" as a bit of a fop themselves, (or gay, or female), all of which are the standard juvenile kind of associations that people who use the

New PC "language"

[CustomDesigned]

Soon you'll be able to take advanced courses on "1337 5p34" to supplement those on "ebonics".

Re:

[Wooky_linuxer]

I modded you overrated but I prefer to reply to your post. Most /.s know what "leet speak" looks like. The poster you're referring to uses it with an obvious negative connotation, so it is clear he isn't endorsing it - rather he is accusing the researchers of acting as immaturely as teens who supposedly brag over themselves and use "leet speak".

If you can't understand that, at least type - and search - correctly. Had you Googled for "1337" instead of "1336", all the top hits would've shown you what was goi

Re:News at 11...

[gutter]

Hello, Artie McStrawman! Sure, there are a few idiots out there that believe that OS X is infallible - there are also some idiots out there that believe the same about windows or linux. However, you aren't likely to find them around here. You'll find plenty of people that believe that OS X is MORE secure than the some of the alternatives, largely because their heavy use of open source and their default configuration that ships with no open ports, but very few that think it is "inherently secure".

The proof is in the number of successful worms and viruses for OS X, which depending on how you define them, hover right around zero. Yes, some of this is likely because of market share, but there's plenty of bragging rights associated with creating the first large-scale OS X compromise, so I wouldn't expect to see none. And of course, even if the relatively low number of security issues is because of market share, it doesn't make it any less pleasant for those of us who use OS X, especially since I'm not expecting it's share to go over 15-20%.

Anyway, if I accept your statement that OS X isn't perfect, will you stop bitching about smug mac users every time there is a discussion marginally related to Apple?

Thanks,
gutter

Re:

[dave420]

How about if Mac users stop being smug, people who dislike smugness stop bitching about it? That seems fair.

Re:News at 11...

[sl3xd]

Smugness is in the eye of the beholder; unfortunately, there's often nothing that can be done either way, as a great many people aren't able to accept that something other than their chosen product (or OS in this case) might have something that theirs doesn't.

In other words, Ford Mustang owners tend to see Chevy Corvette owners as smug. Neither side is really willing to appreciate that each has advantages the other doesn't possess, and can't stand it when somebody highlights the advantage. That isn't ever going to change

I don't see how the situation is any different when an operating system is concerned, rather than a brand of vehicle.

Here's a news flash: OS X has advantages over Windows, Linux, and FreeBSD. OS X can brag about security, because there is a far smaller percentage of its users that have infected, compromised, or zombified machines. Ffind reasons to discount that fact is meaningless: It doesn't matter if the number of attackers is smaller; the goal is to not fall victim to an attack, which OS X has an excellent record of doing.

Here's another one: Macintoshes have disadvantages: They don't have as much native software. A virtualization product like VMware or Parallels is a rare sight on Windows, yet is quite common on a Macintosh. There's always some app that only exists for Windows that the user can't live without. So Mac users not only pay $130 for OS X, but also $80 for a virtualization product, and then they have to buy the most expensive license for Windows. Mac software doesn't enjoy the "freedom" that most Linux users enjoy; much of the software for the Mac is closed-source.

Still, you don't have to like it when OS X users dismiss the advantages of other OSes (like the amount of software for Windows, or the freeness of Linux).

Just take the time to realize that's it's a different flavor of the time-honored "Chevy vs Ford" debate. What is "better" depends on the way the beholder sees things, and it's childish to believe that there's only one true way.

Re:

[MikeBabcock]

Here's a bigger news flash: a lack of exploited vulnerabilities is not the same thing as having better security.

For example: the fact that nobody has ever put a sniper bullet through a sheet of plastic wrap in the battlefield does not mean you should wrap your soldiers in it.

OS X may or may not be more secure than other systems, but that should be on the basis of something tangible, like good design, or security audits and not based on a lack of interest in attacking it.

Re:

[sl3xd]

I don't buy the lack of effort argument at all. It's the same battlefield, and the stakes are the same. Everything has penetration attempts, and the payoff is significant even with the smaller market share that OS X or Linux have. The source code to everything that handles the network touches is available online; most of it is from FreeBSD. Even the subject of this article (mDNS) has the full source online, and is an open-source project.

If you aren't exploiting a vulnerability in a piece of software you

Re:

[gordo3000]

because those 338 were actual bots trolling for an unprotected/easy to get into windows machine?

most of the studies I've seen measure the number of times some one tries to remotely contact your computer without your initiating in, so it's not surprising that when a bot trolls over your IP address it queries regaurdless of OS... that doesn't mean it's a bot which tries to open a mac os X hole.

now those types of attacks are probably 100% windows oriented. if your attack has to be completely automated to try

Re:

[LKM]

Here's a bigger news flash: a lack of exploited vulnerabilities is not the same thing as having better security.

I think you missed the point: Even if we assume that you are right, this doesn't really matter. To the normal user, it makes no difference whether he was not infected by a virus because the security is better, or whether he was not infected by a virus because the market share is lower. In either case, he was not infected by a virus.

You are right, of course, when you say that this should not mean

Re:

[dave420]

You're confusing "security" with "risk".

Standard Operating Procedure?

[ignipotentis]

I'm not opposed to temporarily disabling functionality to fix something potentially disastorous. However, I do hope Apple doesn't make it a practice of just turning things off once exploits are found. Turn it off, patch it, then re-enable it is fine by me.

Re:Standard Operating Procedure?

[Rosyna]

I'm not opposed to temporarily disabling functionality to fix something potentially disastorous.

There are three options when implementing UPnP:

1. Implement it to Microsoft's spec.
2. Implement it correctly (by choosing a direction in places the spec contradicts itself or real implementations).
3. Implement it securely.

Choose only one.

I do not think it is possible to implement UPnP securely and have it based on the spec. Also, the specific code they removed existed only for legacy NAT traversals and may not even be needed any more.

Re:Standard Operating Procedure?

[frdmfghtr]

I'm not opposed to temporarily disabling functionality to fix something potentially disastorous.

There are three options when implementing UPnP:

1. Implement it to Microsoft's spec.
2. Implement it correctly (by choosing a direction in places the spec contradicts itself or real implementations).
3. Implement it securely.

Choose only one.

I do not think it is possible to implement UPnP securely and have it based on the spec. Also, the specific code they removed existed only for legacy NAT traversals and may not even be needed any more.

Is this the same UPnP capability that the FBI recommeded disabling [pcworld.com] in any Windows environment due to security issues quite some time ago?

Re:

[sokoban]

Yes, it is. mDNSresponder has had numerous security problems in the past, but Apple has more or less just been playing "whack-a-mole" with the vulnerabilities. Hopefully, this will lead to some real fixes in the underlying code. When I heard about the whole infosec sellout thing, first thing I did was to disable mDNSresponder in the terminal. It's pretty trivial to do, and if you have something that NEEDS UPnP to function, you can always manually install the previous version or whatever.

Re:

[Tony Hoyle]

mDNSResponder is primarily for Rendezvous/Zeroconf/whatever it's called this week. That's what OSX uses itself and is what is implemented in printers etc. If they've hacked in UPNP capability (rather a shame, as Rendezvous is a far nicer protocol) then it's no surprise you get issues.

Re:

[Achromatic1978]

A phrase I almost never use: "mod parent insightful" ... apparently, in the eyes of some Apple devotees, stack overflows are a "spec issue".

Re:Standard Operating Procedure?

[Rosyna]

I call bullshit. You are saying it's not possible to implement UPnP without being vulnerable to a buffer overflow that may lead to remote code execution? Because that's one of the (at least) two issues at hand. Nice try on passing the responsibility for this bug to the spec writers (mentioning Microsoft seems to help too),

Uhm, UPnP is a microsoft created and controlled spec, this is why I specifically mentioned Microsoft. Some people think it's not microsoft related because Microsoft hides their name from being easily found on the site (they do the same thing with the Zune). But, do a whois [networksolutions.com] on upnp.org or look at many of the UPnP documents [upnp.org] and you will see Microsoft's name plastered all over.

Can you show me an implementation of UPnP that hasn't had bugs? According to wikipedia [wikipedia.org] security is a problem with the spec itself. It's getting so bad that some major router manufacturers are disabling the routing of UPnP packets by default on their non-consumer (and a few consumer) networking appliances.

And my list was more of a dig at OOXML rather than being security related.

Um, so ?

[Space cowboy]

Apple find a vulnerability (before the worm is announced, according to TFA), and remove that vulnerability in their next security update.

I'm guessing there's a regular scheduled security update process in Apple. If you can't fix it in time for the next patch-release, isn't is *better* to temporarily disable it ? I really doubt it's a permanent removal of the feature - they're just being responsible.

Simon.

ITS A LIE

[Conor Turton]

I'm sorry but the article must be a lie. The Apple fanboys assure me that there's no risk of vulnerabilities. Therefore, the article is wrong - it does not exist.

Re:

[weak*]

Mod parent up -- way to think different (tm).

OT but...

[Anonymous Coward]

I often wonder why the British (and now some Americans) say "Apple go on to identify..." Apple is ONE company. Shouldn't that be the singular "Apple goes on to identify"? If it were both Apple and Microsoft than indeed it would be "Apple and Microsoft go on to identify".

Yes, Apple is made up of many people; but my car is made up of many parts. You don't say "my car need gas" do you?

This perplexes me, can someone explain it? Sorry if it's completely OT (except that this (to me) error is in the blurb).

-mcgre

Re:

[Space cowboy]

Companies are generally considered to be plural entities in "real" English [grin]. I suppose we put a higher value on a collection of humans compared to a collection of metal parts...

If you prefer, consider mentally replacing "Apple" with "the people who work at Apple"...

Simon

Re:

[cHiphead]

In the US corporations are give status as a legal 'entity' not 'entities', ergo there does exist a tolerable bit of logic to use singular in this case.

Cheers.

   

Re:

[delire]

In the US corporations are give status as a legal 'entity' not 'entities'

Correct, and while they have similar legal rights as individuals they have a gazillion times the power. A recipe for disaster but that's a story for another day.

Recommended reading [thecorporation.com].

Re:

[TheRealMindChild]

You have to be kidding. Just because a company represents plural people, doesn't mean you treat it as plural. I herd of buffalo is many buffalo, but it is a single herd.

You remind me of the soulless boogers that treat the word "data" as plural ("The data are coming from the internet").

Re:

[howlingmadhowie]

cf. police

it hearkens back to the day when a company was just that, a company. nowadays, the most important thing about a company is that it is a legal entity, not that it consists of people. but i shouldn't get started on that...

Re:

[mr_matticus]

No, it isn't grammatically incorrect. Plural markers are not always expressed at the articulatory or orthographical levels, and companies are treated as plural entities by the conventions used in the UK and many other Commonwealth English countries. It's got nothing to do with being incorrect, since there is no "correct" grammar and no universal English. You can't apply your local grammar to other locations any more than you can apply your local accent to other speakers. Treating a company like an indiv

Re:

[Zhe Mappel]

It's got nothing to do with being incorrect, since there is no "correct" grammar and no universal English. You can't apply your local grammar to other locations any more than you can apply your local accent to other speakers.

Just so -- now tell it to the British Council. ;-)

Re:

[Tony Hoyle]

No they shouldn't. Teams and companies are collective nouns.

Just because in the US you have this strange idea that companies are only one person (maybe all the employees cease to be individuals when they work there?) don't try to convince the rest of the world of it.

Apple ... Worm

[zariok]

So an "apple" is threatened by a "worm"... you don't say.

Re:

[IgLou]

I really thought this story was going to be about bioengineering and not computing. I think one aspect of my reality blurred somewhere.

Hmmm...

[catdevnull]

Isn't mDNSResponder and Open Source package ported for OS X?

  http://developer.apple.com/opensource/internet/bon jour.html [apple.com]

Is Apple the developer of mDNSResponder or are they just using it?

Re:Hmmm...

[shawnce]

An Apple employee (Stuart Cheshire [stuartcheshire.org]) is one of the authors of the RFC(s) related to mDNS [multicastdns.org], etc.

mDNSResponder originated from Apple.

Re:

[shawnce]

I should note that UPnP was in many ways a parallel effort by Microsoft and others.

Re:

[TheRaven64]

The ZeroConf standards began life when Apple started switching from AppleTalk to IP for networking. There were a few things that IP couldn't do that AppleTalk could, so they started working on a way of implementing them on top of IP. These were submitted to the IETF, and approved. They implemented them in mDNSResponder and branded them 'Rendezvous.' One trademark lawsuit later, they re-branded them as 'Bonjour.' They also released the mDNSResponder code under a permissive license, to encourage the adop

Sensationalism by Zonk

[Night Goat]

Hey Zonk, how about using more reputable sources than one guy's blog for your links? I know they were picked by the submitter, but linking only to a blog and then putting a question mark after the headline is sketchy. I can't put much faith in the article if I can't be sure that it's not just a blogger talking out of his ass.

The blog has been corroborated

[commodoresloat]

Besides the blog cited, I saw something about this at this link [slashdot.org].

Shouldn't this be optional?

[G4from128k]

Although I can understand the "secure-by-default" ethos, it would seem to me that some people could leave the vulnerable service active because they only use their computer in firewalled physical LAN environment. Does this update come with a new preference panel entry to reenable this mDNS service?

At least they disabled it!

[Opportunist]

I mean, it was a given that, given increasing market share, Apple becomes interesting for malware. No system is 100% secure.

But at least they decided that it's better to disable the feature and minimize the damage to the net as a whole (and yes, even if you don't have an Apple, a worm damages you by clogging your tubes with packets trying to spread itself). MS decided that it's better to keep the insecure service up and running 'til it can be addressed.

Question for 100: Still getting sober/blaster packets? I do.

Re:

[GWLlosa]

The reason Apple disables features where Microsoft doesn't has more to do with their target audience than any kind of company 'ethos'. If MS advises people that vulnerabilities exist with and , and proceeds to disable them, actual businesses that rely on features and will be very upset and potentially out a pile of money. Instead, MS advises of the vulnerability, so that these businesses can instead rely on their IT guy hardening the system against the vulnerability (seal the appropriate port on the fi

Re:

[Opportunist]

Would be news to me that MS cares whether a company using its product suffers productivity loss.

My guess is that it was simply more convenient to do NOTHING. And this security hole (and disabling it) is far from a product-crippling effect that you describe. More accurately, it would be a bug in Office's Thesaurus and disabling it. Yes, it would inconvenience some people, but it's far from crippling the product into uselessness.

Re:

[Chang]

Microsoft has done this with their products before.

Outlook was plagued by viruses and Microsoft responded by releasing a patch that simply refused to allow the user to open certain types of attachments. There was no override in the original version of the patch.

http://www.slipstick.com/outlook/esecup.htm [slipstick.com]

When Exchange 5.5 was targeted by reverse-NDR spam attacks Microsoft shipped a patch that allowed the user to simply turn off non-delivery reports. Unfortunately the patch didn't work as described on many

Re:

[GWLlosa]

Each of the links you supplied seems to indicate that the user was able to 're-enable' said features in a relatively straightforward way (although the initial outlook patch was missing this, it was added). Is this the case for the Apple feature in question? I have no idea.

Re:

[Weedlekin]

Microsoft also removed some standard capabilities from raw sockets in XP SP2 to make it less suitable as a platform for launching certain types of attacks. Unfortunately, this didn't make it any less vulnerable to somebody who was launching said attacks against XP SP2, but it did manage to disable network security testing such as NMAP, thereby preventing admins from using XP SP2 as a platform for ensuring that networks containing other XP SP2 machines weren't vulnerable to that type of attack in the first p

Microsoft has done pretty much that...

[argent]

"I mean, imagine the fallout if there was a bug that allowed malformed MS word documents being loaded by Office 2007 to result in security issues, and Microsoft responded by disabling the load feature."

Apple didn't disable Bonjour, they disabled one of the components of Bonjour. That's not like disabling loading, it's like refusing to load certain files.

There was a bug that allowed autoexec macros in MS Word documents being loaded by Office 97 to result in security issues, so Microsoft responded by making i

Re:

[Rosyna]

Apple didn't disable Bonjour, they disabled one of the components of Bonjour. That's not like disabling loading, it's like refusing to load certain files.

Actually, it's not even really a component of Bonjour. It just happened to be a service in the mDNSResponder process, which also does Bonjour. Non-Mac OS X mDNSResponder clients do not have this recently disabled UPnP service.

Apple approach better in all cases

[SuperKendall]

I mean, imagine the fallout if there was a bug that allowed malformed MS word documents being loaded by Office 2007 to result in security issues, and Microsoft responded by disabling the load feature.

Consumers: Computer is patched En Masse, network as a whole is protected.

Company: Would note that vulnerability disables something they use, so they simply would not deploy the patch. Companies have control over Microsoft patches unless they are very small, and if they are that small they are probably not go

Re:

[Opportunist]

Because companies spend more money on software than consumers do. Duh.

Next... Open Safe Files?

[argent]

Now will Apple disable "Open Safe Files after Downloading" in Safari, or at the very least stop treating SOFTWARE INSTALLERS, ZIP ARCHIVES, and DISK IMAGES as "Safe" files? OK, this isn't a Mack Truck sized hole like ActiveX (you can only drive *small* trucks through it) but it's still vastly dumb.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Opportunist]

Remote holes are a high level threat, but when you look at Windows, you won't see so many remote holes either. Besides, putting a production machine directly to a hostile network is very dumb.

The majority of threats and exploits on Windows are based on user stupidity, coupled with exploits in third party programs. Now, IE isn't really a third party program, but its weak security is a key entry point for exploits. MPack relies heavily on IE security holes (which are STILL unfixed in 7.0, btw...), as do many

Apple did the right thing

[mcrbids]

Yes, I understand that there are certainly dissenting opinions here. But (IMHO) the thing that most Slash-bots complain about is that Microsoft will

A) Pick a feature that's dumb. (like embed a scripting language into an image format, or give a spreadsheet scripting language access to the filesystem)

B) Choose to preserve the dumb feature in spite of known security problems.

C) Treat the resulting backlash as a "PR issue" rather than a technical one.

D) Sometimes, if the backlash gets bad enough, they'll hack in security restrictions in response to specific known implementations that take advantage of the vulnerability rather than fix the vulnerability. EG: fixes that look for a XXX worm trace, rather than fix the thing that XXX worm exploits. (See anti-virus [wikipedia.org])

Apple is doing the right thing, here, folks! It may or may not be that the feature mentioned is analogous to (A) above. Either way, Apple is chosing security over features, even though features are important.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[UnknowingFool]

I'm tech savvy to understand everything being discussed but what is the potential impact of Apple's actions? From what I understand they are disabling (temporarily) their support for UPnP. This may affect routers and gateways. Are they disabling a function that is important or something that is barely used or somewhere in between? I've disabled UPnP on my router and Windows PC so would this even affect me?

Re:

[sessamoid]

This guy [slashdot.org] seems to think it's not all that important.

Re:

[jrumney]

You lose the ability for software on your PC to tell your router that it wants an incoming port to be forwarded to it. The feature is commonly used by VoIP, IM and P2P programs, but most software has less efficient alternatives to fall back on (connecting via a centralized TCP proxy usually) if it can't open externally visible incoming ports.

Have you been paying attention?

[argent]

"It almost certainly took them more effort to disable the feature than it would have to fix the broken code."

Leaving out a module? It's questionable whether they should be trying to hack some kind of limited uPnP compatibility into Zeroconf in the first place, especially if (as alleged) they're using it for "legacy NAT traversal"... this just screams "bad idea" to me.

They brag about how little they know compared to what it takes to keep a Windows machine happy

They brag about how little they NEED TO KNOW com

"additional validation" or "disabled support"

[czmax]

If you follow the link to the apple security update page there are actually two vulnerabilities associated with UPnP IGD. For one of them apple indicates that "this update addresses the issue by performing additional validation when processing UPnP protocol packets in iChat". For mDNSResponder apple indicates "this update addresses the issue by removing UPnP IGD support.

Clearly something is unclear since iChat is obviously still using UPnP IGD, likely as a client?

But why is the mDNSResponder using UPnP IGP anyway? mDNS is for service discovery etc and is basically a competitor to UPnP (I thought). Perhaps there is a way for mDNSResponder to leverage UPnP IGP to broadcast service messages (e.g. bonjour) across a local NAT? If so I've never seen nor heard of this working -- so perhaps what they're disabling is vulnerable code that wasn't doing anything anyway?

Re:

[jackjeff]

Acutally I was also wondering what this feature was used for? Anyone knows?

My guess is that since Apple decided to unilaterally disable the feature (without giving any option to activate it for the mighty or protected folks) it is because it was probably never used.

Who wants to bet...

[subl33t]

... that the iPhone will be the vector that finally gets Macs infected with a virus/worm that will replicate in the wild?

I bet there's a secret cabal at Microsoft that is working on this very thing.

Now that Apple has disabled uPnP compatibility....

[argent]

Now that Apple has disabled uPnP compatibility will the original anonymous extortionist reveal the hole that he claims he didn't want to reveal lest Apple come up with some excuse for not disabling whatever his hole was, or will we hear more FUD from him?

Re:Now that Apple has disabled uPnP compatibility.

[Jeremy_Bee]

He's probably already on this thread, calling everyone "fanboiz," and that is about as much as he has ever contributed IMO.

Big Loss!

[reed]

UPnP kind of sucks anyway. Maybe this will get people to move to MDNS-SD, which is simple, straightforward, has several implementations (both open source and not).

Re:

[DECS]

For those confused by acronyms and internal names:

mDNS is Multicast DNS, an standard for resolving host names collaboratively on a local subnet using APIs similar to standard server/unicast DNS. It is half of what Apple calls Bonjour.

DNS-SD is DNS Service Discovery, which allows devices with shared services to advertise themselves on a local network.

Together, they provide much of the simple "just works" networking that AppleTalk delivered in 1986: devices discover each other and auto configure without any c

Re:

[Tony Hoyle]

Apple is also working on Wide Area Bonjour, which allows a Bonjour-savvy client to register with an external DNS server, authenticate, and obtain DNS location discovery and naming information for services and devices behind a NAT layer.

Actually they're not just working on it it's live.. if you have a server that provide a service it can register with the global mdns responder and be available worldwide.

It's the kind of thing that DNS SRV records are designed for (and rarely got used for) except you don't ha

Re:

[DECS]

Well the subject under discussion was Apple's mDNS, its UPNP implementation, and the security issues that resulted in Apple simply turning UPNP off.

You can give yourself points for knowing unrelated details about Microsoft's non-standard, security challenged architecture. The number of devices using UPNP as anything other than a way to play games over a router are really insignificant however.

The wikipedia article you linked to points out:

- UPnP uses HTTP over UDP (known as HTTPU and HTTPMU for unicast and

Apple should have stayed vulnerable

[objekt]

Silly Apple, fixing the problems. Don't they know this leaves them open for taunting.

Knee-jerk PC fanboi: "Oh, I guess Apple isn't so secure after all, huh?"

Mac-fanboi: "Umm, they fixed a problem with some 3rd-party software before it became an issue."

Knee-jerk PC fanboi: "Yeah, old Apple finally getting some of what Windows gets."

Mac-fanboi: "No, they proactively fixed the problem"

Knee-jerk PC fanboi: "Yep, might as well just use Windows"

Mac-fanboi: "You do that, then."

Re:

[Rui del-Negro]

It's not just Dreamweaver; Photoshop CS3 does the same. Not only that, but it installs the service with the name "##Id_String1.6844F930_1628_4223_B5CC_5BB94B87976 2 ##", so it's not exactly easy to spot.

Here is a page with instructions about how to remove it (read the full thread; the first post has an error):

http://www.x64bit.net/site/board/index.php?showtop ic=4214 [x64bit.net]

Re:

[dave420]

It's Apple's software, not Microsoft's. Try again.

Re:

[prockcore]

It's actually Apple crap.

Re:Does anyone use mDNS?

[Tony Hoyle]

mDNS - Apple
UPNP - Microsoft

Apple have disabled the Microsoft protocol. Won't affect them in the slightest I'd expect.

mDNS is actually fairly useful.. you can advertise servers across the network using it, and it's an easy protocol to implement (a few hundred lines of code will do it).

UPNP is an XML infested mess with a huge spec that I wouldn't try to implement unless I had a deathwish. And in all that mess they forgot to add any user or machine verification.. the upshot being if you enable it on a router you can disable its firewall with a 10 line perl script.

Re:

[GaryPatterson]

Thanks for this comment. I'm not a networking clever-person and your bit about disabling the firewall concerns me somewhat. I checked my router and discovered that UPNP was on by default. It's off now, and I'm not seeing any less functionality.

Moderations tell all

[mattgreen]

Just because you mark it flamebait doesn't make it less true.

Re:

[node 3]

I think it has more to do with the 'Macs don't get viruses.' ads we see every now and then

And they fucking don't. What's wrong with that? Macs DON'T GET VIRUSES. There were some for OS 9, but there are none (beyond a few "proofs-of-concept") for OS X. NONE.

That doesn't mean viruses are impossible, nor that they will never come, just that they haven't yet.

Linux/*BSD get their fair share of worms, but also have legions of nerdy fanboys to fix vulnerabilities, and no one important foolishly calls them impenetrable.

No one calls OS X impenetrable either. Strange how you jump from viruses to worms, btw.

OS X is very much like Linux, and very much unlike Windows, where with the former, you know the potential almost certainly exists for your machine to be hac

Re:

[node 3]

[a]I never said anything was wrong with that; just that it's [b]stupid to use it as a selling point, when it's [c]primarily due to their low market share.

[b] contradicts [a] and [c] is an unproved assertion.

To expand, if there's nothing wrong with the fact that there are no viruses for OS X, why is it stupid to promote that fact? As for assertion [c], OS X has a larger market share than Linux, yet there exist actual Linux viruses.

Funny, I could have sworn that's [viruses] what the article was about.

The article is about a worm *threat* from a worm that *doesn't exist* beyond the (claimed) system of a security researcher. Ignoring the conflation of virus and worm, I covered this when I excepted "proofs-of-concept".

A worm is a virus that propagates over a network

No, it's no

Re:Moderations tell all

[node 3]

I'm just going to collect a few of your more inane tidbits together here:

"Apple failed" (they did not)

"OS X is every bit as crash prone and unreliable as Windows" (It's crash prone, but not "every bit as crash prone")

"not so with Apple, which radically changes their OS every few years" (Two points here: 1. if this is true, it belies your following statement 2. it's not true)

"There is no inherently superior security in OS X" (the overall design and implementation of OS X is more secure than the overall design and implementation of XP. Vista is a vast improvement over XP, but it remains to be seen how this works out)

"those people who blame Microsoft for vendor lock-in" (straw man, no one claims this)

"OS X is the ultimate in vendor lock-in" (OS X is an extremely open system. The only "lock-in" is with their hardware, which really isn't that big of a deal.)

For someone who claims to be fighting against religious zeal, you sure come across fanatically angry. You make the basic fallacy that, "Windows is flawed, OS X is flawed, therefore Windows and OS X are equally flawed," which is complete nonsense.

There are people who get fanatical about Macs, but you're lumping a whole lot of rational people in with them, and fully deserve flaimbait or troll modding for it.

the minute you take a bite of the precious worm-ridden Apple, mods put you to sleep for a year

No, stupid shit like, "eat crow" gets modded down. Eat crow for what? A security flaw existed? It was patched? WTF? A lot of anti-Apple sentiment gets modded up, as well, though generally the more rational stuff, like people complaining about vendor lock-in (like you did above) or various other things that actually make sense.

Not to mention the fact that both you, and the OP are both (at present) modded positively, which makes your cries of being oppressed a bit silly.

Re:

[node 3]

yes, they did [fail] unless you consider near-Bankruptcy success

They were never near bankruptcy, and even if they were, that does not mean they failed (although I'd agree that that would have been a good sign of potential failure). They were definitely on a trajectory for failure in the mid-90s, but they were nowhere near *actual* failure. Ever.

"OS X is every bit as crash prone and unreliable as Windows" (It's crash prone, but not "every bit as crash prone")

Give it time[a]. Defects per line of code[b] in their software are probably[c] sitting around average for the OS industry. This is statistically provable[d].

Ok, this was so absolutely non sequitur, I had to add what I wrote to provide context.

[a] What does time have to do with it? Are all the crashes just building up in preparation for a crash deluge?
[b] Defects do not necessarily

Re:TV add

[Farmer Tim]

"Hi, I'm a Mac"

"And I'm a PC. Hey Mac, I heard you don't get viruses. Congratulations."

*PC Shakes Mac's hand*

"That's right, PC. But I do have worms."

*PC starts wiping hand furiously*

Re:

[Achromatic1978]

Hey, fucktard, here in the real world, people don't get pissy about things like this. Especially when if you look at anything from court documents to newspapers, bold and / or caps text is a way to emphasize a word / name as a subject.

But Apple fans shudder at anything remotely resemble brand dilution.